[distcc] Exploit in distcc ( got compromised ;( )

Martin Pool mbp at sourcefrog.net
Thu Aug 26 23:06:35 GMT 2004


On 26 Aug 2004, Sylvain Munaut <tnt at 246tnt.com> wrote:
> Hi,
> 
> On a machine, I had a distcc available to the internet ( yeah, silly me 
> ... deactivated a firewall rules for a few hours and forgot to 
> reactivate it ... )
> 
> It was a distcc 2.13, I know it's not the latest one. And it was 
> exploited to gain a localshell as the distcc user. Hopefully he didn't 
> do anything else AFAIK, the root exploit he tried didn't work ( too 
> recent kernel installed ).

Hi,

I'm sorry your machine got compromised.

As Alexandre said, since distcc is basically a remote shell, once
people are allowed to open a connection they can do pretty much
whatever they want inside that userid.

I have updated this to make it more clear:

  http://distcc.samba.org/security.html

Do you think that text is OK, or should more be said?

Google finds this attack code

  http://www.metasploit.com/projects/Framework/modules/exploits/distcc_exec.pm

You can see it is more a matter of malice than genius.

If they didn't get root on your machine then there may be a log
message telling you the IP of the connection.  You can use that to
trace back to the attack and complain to their network and/or the
police (not that they generally seem to care).

I'd like to make it safer by default; but the protocol probably needs
to use plain TCP for performance.  Here are some ideas.  What do
people here think?

 - Make --allow mandatory; you have to say which networks are trusted

 - Use a cleartext shared password; not much protection against 
   local attackers but it might have helped in this case.

 - Work on making SSH more useful, though it will probably never be
   really fast

 - Add weaker built-in encryption; this feels wrong

 - Encourage people to choose nonstandard ports

 - Try to vet the command line; allow only particular commands.  It's
   not enough to just say "only run gcc" because an attacker might try to
   send output to a file.  This couldn't give total protection but it
   might help.

--
Martin
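The last idea in the list above, vetting the command line so the server runs only what looks like a plain compile job, is easy to state and fiddly to get right. The following is an added example written for this page; it is not distcc's own code and was not proposed by the author. It assumes a hypothetical server-side hook `vet_command()` that sees the job's argv before it is executed, an assumed allowlist of compiler names, and an assumed deny list of gcc option prefixes that let a compile job read, write or execute outside its one input and one output (`-specs`, `-wrapper`, `-B`, `-fplugin`, `-MF`/`-MD`/`-MMD`, `@file`). It also refuses a link step (no `-c`) and any input or `-o` output path that is absolute or climbs out of the working directory, which is the "send output to a file" case the message warns about.

```c
#include <stdio.h>
#include <string.h>

/* Compilers the server will run. Assumed allowlist for this example. */
static const char *const allowed_compilers[] = { "gcc", "cc", "g++", "c++", NULL };

/* Option prefixes that let a compile job read, write or execute beyond its
 * one input and one output: spec files, wrapper programs, plugins, search
 * prefixes, dependency-file output, response files. Assumed deny list. */
static const char *const denied_prefixes[] = {
    "-specs", "-wrapper", "-B", "-fplugin", "-MF", "-MD", "-MMD", "@", NULL
};

static int in_list(const char *s, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(s, *list) == 0)
            return 1;
    return 0;
}

static int has_denied_prefix(const char *arg)
{
    for (const char *const *p = denied_prefixes; *p; p++)
        if (strncmp(arg, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* A path is "local" if it is relative and has no ".." component, so the
 * job cannot name a file outside the server's working directory. */
static int path_is_local(const char *path)
{
    if (path[0] == '\0' || path[0] == '/')
        return 0;
    for (const char *p = path; *p;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = end ? end + 1 : p + len;
    }
    return 1;
}

#define REJECT(...) do { snprintf(why, whylen, __VA_ARGS__); return 0; } while (0)

/* Returns 1 if argv looks like "compile exactly one local source file to
 * exactly one local object file"; otherwise 0, with the reason in why. */
int vet_command(int argc, char *const argv[], char *why, size_t whylen)
{
    int saw_c = 0, saw_o = 0, sources = 0;

    if (argc < 2)
        REJECT("too few arguments");
    /* The name is resolved via PATH; a path to a binary of our choosing is refused. */
    if (strchr(argv[0], '/') || !in_list(argv[0], allowed_compilers))
        REJECT("compiler not allowed: %s", argv[0]);

    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (has_denied_prefix(a))
            REJECT("denied option: %s", a);
        if (strcmp(a, "-c") == 0) {
            saw_c = 1;
        } else if (strncmp(a, "-o", 2) == 0) {      /* "-o foo.o" or "-ofoo.o" */
            const char *out = a[2] ? a + 2 : (i + 1 < argc ? argv[++i] : "");
            if (!path_is_local(out))
                REJECT("output path not local: %s", out);
            saw_o = 1;
        } else if (a[0] == '-') {
            /* other options (-O2, -Wall, -D..., -I...) pass through */
        } else {
            if (!path_is_local(a))
                REJECT("input path not local: %s", a);
            sources++;
        }
    }
    if (!saw_c)
        REJECT("not a compile-only job (no -c): a link step would run ld");
    if (!saw_o || sources != 1)
        REJECT("expected exactly one source file and one -o output");
    return 1;
}

/* Convenience wrapper: 1 = accept, 0 = reject. */
int vet_ok(int argc, char *const argv[])
{
    char why[128];
    return vet_command(argc, argv, why, sizeof why);
}

int main(void)
{
    /* Constructed sample jobs, not captured traffic. */
    char *const jobs[][8] = {
        { "gcc", "-c", "foo.c", "-o", "foo.o" },
        { "sh", "-c", "id" },
        { "gcc", "-c", "foo.c", "-o", "/etc/cron.d/x" },
        { "gcc", "-c", "foo.c", "-o", "foo.o", "-specs=/tmp/x" },
        { "gcc", "foo.c", "-o", "foo" },
    };
    for (size_t j = 0; j < sizeof jobs / sizeof jobs[0]; j++) {
        char why[128] = "ok";
        int argc = 0;
        while (jobs[j][argc])
            argc++;
        int ok = vet_command(argc, jobs[j], why, sizeof why);
        for (int i = 0; i < argc; i++)
            printf("%s ", jobs[j][i]);
        printf("-> %s (%s)\n", ok ? "ACCEPT" : "REJECT", why);
    }
    return 0;
}
```

As the message says, this is not total protection: the compiler still reads any file the `-I` paths or an `#include` with an absolute path point at, and the deny list above is only a starting point. Network restriction (`--allow`) stays the primary control; the vetting is a second layer for when that is misconfigured, as it was in the report that started this thread.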